Solved: Redirecting DNS

Lockout888 · ‎2019-10-20

Running R80.30 for home use, and I want to force my kids devices to use OpenDNS Family Shield DNS Servers, while allowing other devices to use regular DNS Servers.

I was able to do this with DD-WRT via MAC address by using these commands. Even if the DNS Servers were changed on the device manually, they were forced to use Family Shield.

iptables -t nat -I PREROUTING -i br0 -m mac --mac-source ##:##:##:##:##:## -p udp --dport 53 -j DNAT --to 208.67.222.123
iptables -t nat -I PREROUTING -i br0 -m mac --mac-source ##:##:##:##:##:## -p tcp --dport 53 -j DNAT --to 208.67.222.123

How do I accomplish this in GAIA?

PhoneBoy · ‎2019-11-05

It seems to me the correct approach is to block DNS to all servers but the ones you want to allow in the Access Policy.
The one(s) allowed would be provided by DHCP.

Destination NAT must be a 1 to 1 mapping (i.e. you cannot map multiple destinations to a single one using a single rule).
If you have clients that MUST use a specific DNS server that's not a preferred one, you could create a specific NAT rule that routes the request to your preferred destination.
Something like:

Original Source: Client IP range
Original Destination: 8.8.8.8
Original Service: DNS
Translated Source: Gateway (Hide)
Translated Destination: x.y.z.w
Translated Service: Original

View solution in original post

PhoneBoy · ‎2019-10-22

You cannot write rules in terms of a MAC address in the Check Point security policy.
You can do it by IP and create NAT rules, however, with similar effect.

Maarten_Sjouw · ‎2019-10-23

Make sure in your DHCP the kids always get the same IP, then setup an NAT rule with service DNS and their source IP's (in a group) and in the translated add the correct destination DNS server IP.
In the original destination you can test to see if any is allowed, otherwise create a group with known 'Open' DNS servers like 1.1.1.1 Cloudflare, 8.8.8.8 Google, 208.67.220.220 OpenDNS and your providers' DNS servers.

Regards, Maarten

Lockout888 · ‎2019-10-27

I have Original Source = IP Address Range. Original Service = DNS. Original Destination will not allow Any.

When I create a Group for Original Destination and add some common DNS Servers to it, I get this error:

- NAT Rule 9: You cannot use the Network Group (DNS_Common) as the Original Destination.
The Network Group is only valid if the value of the matching translated column is 'Original'.
- Policy verification failed.
--------------------------------------------------------------------------------

cezar_varlan1 · ‎2019-11-05

I have a similar case where some LAN computers have the CKP GW address as DNS. As this one is GAIA, and not GAIA Embedded, it does not support DNS forwarding. I have tried a NAT rule and it does not work properly.

Any ideas on how to approach this subject raised by the original poster?

It looks like bind-like is basic functionality yet it is missing in CKP. The previous firewall was pfSense and we replaced that. Now we have noticed we have some missing functionality - and yes we can just reconfigure all clients to use proper DNS but that is not the point. The point is rather to force unruly or rogue clients (maybe on wifi) to use a filtered or specific DNS and not whatever they like DNS

PhoneBoy · ‎2019-11-05

It seems to me the correct approach is to block DNS to all servers but the ones you want to allow in the Access Policy.
The one(s) allowed would be provided by DHCP.

Destination NAT must be a 1 to 1 mapping (i.e. you cannot map multiple destinations to a single one using a single rule).
If you have clients that MUST use a specific DNS server that's not a preferred one, you could create a specific NAT rule that routes the request to your preferred destination.
Something like:

Original Source: Client IP range
Original Destination: 8.8.8.8
Original Service: DNS
Translated Source: Gateway (Hide)
Translated Destination: x.y.z.w
Translated Service: Original

John_Tomasetti · ‎2020-01-21

Yep. I have the same requirement.

RFE ID: WZD-515-34316

MariuszT · ‎2024-08-13

Hi,

I know that this topic is old, but... have anything changed in that matter? It would be nice to create only one NAT rule with source *any and prefered DNS server as destination, and not separate rules for each host.

Greetings,

Mariusz

PhoneBoy · ‎2024-08-13

As far as I know, nothing has changed.
However, the above rule might work better like this:

Original Source: All_Internet
Original Destination: All_Internet
Original Service: DNS
Translated Source: Gateway (Hide)
Translated Destination: x.y.z.w
Translated Service: Original

This should translate any DNS packet traversing your gateway to your preferred DNS server hidden behind the gateway's external IP.
Whether this actually works is a separate question.

dnsmasq is also available, which appears to be enabled in R82 and possible to enable in other releases.
This could be configured as a forwarding DNS server.

MariuszT · ‎2024-08-13

The rule you provided is not accepted during policy installation. The error is the same if in source is used *any/network/group object. It is only allowed to put host object in source field.

PhoneBoy · ‎2024-08-14

You did not create the rule as I described.
The Translated Source must be changed to HIDE (not static as shown)
The Translated Destination must contain the specific DNS server you want to redirect requests to.

MariuszT · ‎2024-08-14

Hi, Thank you for the answer, but I'm not sure what do you mean... translated source (as on the picture in previous post) is in Hide mode (letter H on it). The translated destination is the DNS server in my LAB.

If this is wrong could you please share example how should it look like?

PhoneBoy · ‎2024-08-14

Destination should probably be "any" instead of All_Internet...I believe that should resolve the validation issue.

ClauberTeles · ‎2022-04-30

Hey @PhoneBoy
I know it's been a while since you posted this answer but I'm just replying to thank you. You're a lifesaver.

Are you a member of CheckMates?

Redirecting DNS